Unconditionally secure non-relativistic bit commitment is known to be impossible in both the classical and the quantum worlds. But when committing to a string of n bits at once, how far can we stretch the quantum limits? In this paper, we introduce a framework for quantum schemes where Alice commits a string of n bits to Bob in such a way that she can only cheat on a bits and Bob can learn at most b bits of information before the reveal phase. Our results are two-fold: we show by an explicit construction that in the traditional approach, where the reveal and guess probabilities form the security criteria, no good schemes can exist: $a + b$ is at least $n$. If, however, we use a more liberal criterion of security, the accessible information, we construct schemes where $a = 4\log_2 n + O(1)$ and $b = 4$, which is impossible classically. We furthermore present a cheat-sensitive quantum bit string commitment protocol for which we give an explicit tradeoff between Bob's ability to gain information about the committed string, and the probability of him being detected cheating.




Commitments play an important role in modern day cryptography. Informally, a commitment allows one party to prove that she has made up her mind and cannot change it, while hiding the actual decision until later. Imagine two mutually distrustful parties Alice and Bob at distant locations. They can only communicate over a channel, but want to play the following game: Alice secretly chooses a bit x. Bob wants to be sure that Alice indeed has made her choice. At the same time, Alice wants to keep x hidden from Bob until she decides to reveal x. To convince Bob that she made up her mind, Alice sends Bob a commitment. From the commitment alone, Bob cannot deduce x. At a later time, Alice reveals x and enables Bob to open the commitment. Bob can now check if Alice is telling the truth. This scenario is known as bit commitment.

Bit commitment is a very powerful cryptographic primitive with a wide range of applications. It has been shown that quantum oblivious transfer (QOT) [1] can be achieved provided there exists a secure bit commitment scheme [2, 3]. In turn, oblivious transfer is known to be sufficient for solving the general problem of secure two-party computation [4, 5]. Commitments are also useful for constructing zero-knowledge proofs [6]. Furthermore, a bit commitment protocol can be used to implement secure coin tossing [7]. Classically, unconditionally secure bit commitment is known to be impossible. Unfortunately, after several quantum schemes were suggested [8, 9, 10], non-relativistic quantum bit commitment has also been shown to be impossible [11, 12, 13, 14, 15, 16]. Only very limited degrees of concealment and binding can be achieved [17]. In the face of these negative statements, what can we still hope to achieve?



A. String Commitment

Here we take a different approach and look at the task of committing to a string of n bits at once in the setting where Alice and Bob have unbounded resources. Since perfect bit commitment is impossible, perfect string commitment is impossible, too. However, is it possible to design meaningful string commitment schemes when we allow for a small ability to cheat on both Alice's and Bob's side? To make this question precise, we introduce a framework for the classification of string commitments in terms of the length n of the string, Alice's ability to cheat on a bits and Bob's ability to acquire b bits of information before the reveal phase. Instead of asking for a perfectly binding commitment, we allow Alice to reveal up to $2^a$ strings successfully: Bob will accept any such string as a valid opening of the commitment. Formally, we demand that $\sum_{x\in\{0,1\}^n} p_x \le 2^a$, where $p_x$ is the probability that Alice successfully reveals string x during the reveal phase. Contrary to classical computing, Alice can always choose to perform a superposition of string commitments without Bob's knowledge. Thus even for a perfectly binding string commitment we would only demand $\sum_{x\in\{0,1\}^n} p_x \le 1$, since a strategy based on superpositions is indistinguishable from the "classical" honest behaviour of choosing a string beforehand and then committing to it. At the same time, we relax Bob's security condition, and allow him to acquire at most b bits of information before the reveal phase. The nature of his security definition is crucial to our investigation: If b determines a bound on his probability to guess Alice's string, then we prove that $a + b$ is at least $n$ (up to a small constant). We write (n, a, b)-QBSC for a quantum bit string commitment protocol where the string has length n and a and b are the security parameters for Alice and Bob as explained in detail below. In Section II we show

Impossibility of (n, a, b)-QBSC:

Every (n, a, b)-QBSC scheme with $a + b + c < n$ is insecure, where $c \approx 7.61$.

Our proof makes use of privacy amplification with two-universal hash functions. If the protocol is executed multiple times in parallel, we prove that any quantum bit string commitment protocol with $a + b < n$ is insecure. We refer to these results as "impossibilities", as they show that QBSCs offer almost no advantage over the trivial classical protocol: Alice first sends b bits of the n-bit string to Bob during the commit phase, and then supplies him with the remaining $n - b$ bits in the reveal phase.

The second part of the paper is devoted to the "possibility" of QBSC. If we weaken our standard of security and measure Bob's information gain in terms of the accessible information, it becomes possible to construct meaningful QBSC protocols with $a = 4\log_2 n + O(1)$ and $b = 4$. Our protocols are based on the effect of locking classical information in quantum states [18]. This surprising effect shows that given an initial shared quantum state, the transmission of $\ell$ classical bits can increase the total amount of correlation by more than $\ell$ bits. In Section III we show

Possibility of (n, a, b)-QBSC$_{I_{acc}}$:

For $n > 3$, there exist $(n, 4\log_2 n + O(1), 4)$-QBSC$_{I_{acc}}$ protocols.

We then consider cheat-sensitive protocols: Even though Bob is in principle able to gain a large amount of information on Alice's committed string, honest Alice has a decent probability of detecting such an attempt to cheat the protocol. We give an explicit tradeoff between Bob's information gain, and Alice's ability to catch him cheating. In Section IV we show

Possibility of cheat-sensitive $(n, 1, n/2)$-QBSC$_{I_{acc}}$:

There exists an $(n, 1, n/2)$-QBSC$_{I_{acc}}$ that is cheat-sensitive against Bob. If Bob is detected cheating with probability less than $\varepsilon$, then his classical information gain is less than $4\sqrt{\varepsilon}\log_2 d + 2\mu(2\sqrt{\varepsilon})$ with $\mu(x) = \min\{-x\log_2 x, 1/e\}$.

B. Related Work

To obtain bit commitment, different restrictions have been introduced into the model. Salvail [19] showed that, for any fixed n, secure bit commitment is possible provided that the sender is not able to perform generalized measurements on more than n qubits coherently. Large-n coherent measurements are not yet feasible, so his result provides an implementation which is secure under a plausible technological assumption. DiVincenzo, Smolin and Terhal took a different approach [20], showing that if the bit commitment is forced to be ancilla-free, a type of asymptotic security is still possible. Bit commitment is also possible if the adversary's quantum storage is bounded [21, 22, 23] or noisy [24]. Classically, introducing restrictions can also open new possibilities. Cachin, Crépeau and Marcil have shown how to implement bit commitment via oblivious transfer under the assumption that the size of the receiver's memory is bounded [25]. Furthermore, the assumption of a noisy channel can be sufficient for oblivious transfer [26, 27]. A new cryptographic task, called cheat-sensitive bit commitment, has been studied by Hardy and Kent [28], as well as Aharonov, Ta-Shma, Vazirani and Yao [29]: no restrictions are placed on the adversary initially, but an honest party should stand a good chance of catching a cheater. Kent also showed that bit commitment can be achieved using relativistic constraints [30].

Classically, string commitment is directly linked to bit commitment and no interesting protocols are possible. Kent [31] first asked what kind of quantum string commitment (QBSC) can be achieved. He gave a protocol under the restrictive assumption that Alice does not commit to a superposition [32]. His protocol was modified for experimental purposes by Tsurumaru [33].



I. PRELIMINARIES

A. Framework

We first formalize the notion of quantum string commitments in a quantum setting.

Definition 1 An (n, a, b)-Quantum Bit String Commitment (QBSC) is a quantum communication protocol between two parties, Alice (the committer) and Bob (the receiver), which consists of two phases and two security requirements.

• (Commit Phase) Assume that both parties are honest. Alice chooses a string $x \in \{0,1\}^n$ with probability $p_x$. Alice and Bob communicate and at the end Bob holds state $\rho_x$.

• (Reveal Phase) If both parties are honest, Alice and Bob communicate and at the end Bob learns x. Bob accepts.

• (Concealing) If Alice is honest, $\sum_{x\in\{0,1\}^n} p^B_{x|x} \le 2^b$, where $p^B_{x|x}$ is the probability that Bob correctly guesses x before the reveal phase.

• (Binding) If Bob is honest, then for all commitments of Alice: $\sum_{x\in\{0,1\}^n} p^A_x \le 2^a$, where $p^A_x$ is the probability that Alice successfully reveals x.

We say that Alice successfully reveals a string x if Bob accepts the opening of x, i.e. he performs a test depending on the individual protocol to check Alice's honesty and concludes that she was indeed honest. Note that quantumly, Alice can always commit to a superposition of different strings without being detected. Thus even for a perfectly binding bit string commitment (i.e. $a = 0$) we only demand that $\sum_{x\in\{0,1\}^n} p^A_x \le 1$, whereas classically one wants that $p^A_{x'} = \delta_{x,x'}$ for a commitment to x. Note that our concealing definition reflects Bob's a priori knowledge about x. We choose an a priori uniform distribution (i.e. $p_x = 2^{-n}$) for (n, a, b)-QBSCs, which naturally comes from the fact that we consider n-bit strings. A generalization to any $(P_X, a, b)$-QBSC where $P_X$ is an arbitrary distribution is possible but omitted in order not to obscure our main line of argument. Instead of Bob's guessing probability, one can take any information measure B to express the security against Bob. In general, we consider an (n, a, b)-QBSC$_B$ where the new concealing condition $B(\mathcal E) \le b$ holds for any ensemble $\mathcal E = \{p_x, \rho_x\}$ that Bob can obtain by a cheating strategy. In the latter part of this paper we show that for B being the accessible information non-trivial protocols, i.e. protocols with $a + b \ll n$, exist. The accessible information is defined as $I_{acc}(\mathcal E) = \max_M I(X;Y)$, where $P_X$ is the prior distribution of the random variable X, Y is the random variable of the outcome of Bob's measurement on $\mathcal E$, and the maximization is taken over all measurements M.



B. Model

We work in the model of two-party non-relativistic quantum protocols of Yao [5], later simplified by Lo and Chau [12], which is usually adopted in this context. Here, any two-party quantum protocol can be regarded as a pair of quantum machines (Alice and Bob), interacting through a quantum channel. Consider the product of three Hilbert spaces $\mathcal H_A$, $\mathcal H_B$ and $\mathcal H_C$ of bounded dimensions representing the Hilbert spaces of Alice's and Bob's machines and the channel, respectively. Without loss of generality, we assume that each machine is initially in a specified pure state. Alice and Bob perform a number of rounds of communication over the channel. Each such round can be modeled as a unitary transformation on $\mathcal H_A \otimes \mathcal H_C$ and $\mathcal H_B \otimes \mathcal H_C$ respectively. Since the protocol is known to both Alice and Bob, they know the set of possible unitary transformations used in the protocol. We assume that Alice and Bob are in possession of both a quantum computer and a quantum storage device. This enables them to add ancillae to the quantum machine and use reversible unitary operations to replace measurements. By doing so, Alice and Bob can delay measurements and thus we can limit ourselves to protocols where both parties only measure at the very end. Moreover, any classical computation or communication that may occur can be simulated by a quantum computer. Furthermore, any probabilistic operation can be modeled as an operation that is conditional on the outcome of a coin flip. Instead of a classical coin, we can use a quantum coin and in this way keep the whole system fully quantum mechanical.

C. Tools

We now gather the essential ingredients for our proof. First, we show that every (n, a, b)-QBSC is an (n, a, b)-QBSC$_\Xi$. The security measure $\Xi(\mathcal E)$ is defined by

$$\Xi(\mathcal E) = n - H_2(\rho_{AB}|\rho), \qquad (1)$$

where $\rho_{AB} = \sum_x p_x |x\rangle\langle x| \otimes \rho_x$ and $\rho = \sum_x p_x \rho_x$ are only dependent on the ensemble $\mathcal E = \{p_x, \rho_x\}$. $H_2(\cdot|\cdot)$ is an entropic quantity defined in [34], $H_2(\rho_{AB}|\rho) = -\log \mathrm{Tr}\big((I \otimes \rho^{-1/2})\rho_{AB}\big)^2$. This quantity is directly connected to Bob's maximal average probability of successfully guessing the string:

Lemma 1 Bob's maximal average probability of successfully guessing the committed string, i.e. $\sup_M \sum_x p_x p^{B,M}_{x|x}$ where M ranges over all measurements and $p^{B,M}_{x|x}$ is the conditional probability of guessing x given $\rho_x$, obeys

$$\sup_M \sum_x p_x p^{B,M}_{x|x} \ge 2^{-H_2(\rho_{AB}|\rho)}.$$

Proof. By definition the maximum average guessing probability is lower bounded by the average guessing probability for a particular measurement strategy. We choose the square-root measurement which has operators $M_x = p_x \rho^{-1/2}\rho_x\rho^{-1/2}$. $p_{x|x} = \mathrm{Tr}(M_x\rho_x)$ is the probability that Bob guesses x given $\rho_x$, hence

$$\log_2 \sum_x p_x p_{x|x} = \log_2 \sum_x p_x^2\,\mathrm{Tr}\big(\rho^{-1/2}\rho_x\rho^{-1/2}\rho_x\big) = \log \mathrm{Tr}\big((I \otimes \rho^{-1/2})\rho_{AB}\big)^2 = -H_2(\rho_{AB}|\rho). \qquad \square$$

Related estimates were derived in [35]. For the uniform distribution $p_x = 2^{-n}$ we have from the concealing condition that $\sum_x p_{x|x} \le 2^b$, which by Lemma 1 implies $\Xi(\mathcal E) \le b$ and hence the following lemma.

Lemma 2 Every (n,a,b)-QBSC is an (n,a,b)-QBSC$_\Xi$.

Furthermore, we make use of the following theorem, known as privacy amplification against a quantum adversary. In our case, Bob holds the quantum memory and privacy amplification is used to find Alice's attack.
Theorem 1 (Th. 5.5.1 in [34], see also [36]) Let $\mathcal G$ be a class of two-universal hash functions from $\{0,1\}^n$ to $\{0,1\}^s$. Application of $g \in \mathcal G$ to the random variable X maps the ensemble $\mathcal E = \{p_x, \rho_x\}$ to $\mathcal E_g = \{q^g_y, \sigma^g_y\}$ with probabilities $q^g_y = \sum_{x \in g^{-1}(y)} p_x$ and quantum states $\sigma^g_y = \frac{1}{q^g_y}\sum_{x \in g^{-1}(y)} p_x\rho_x$. Then

$$\frac{1}{|\mathcal G|}\sum_{g \in \mathcal G} d(\mathcal E_g) \le \frac12\, 2^{-\frac12[H_2(\rho_{AB}|\rho) - s]}, \qquad (2)$$

where $d(\mathcal E) = \delta\big(\sum_x p_x |x\rangle\langle x| \otimes \rho_x,\ \frac{1}{2^n} \otimes \rho\big)$ (and similarly for $d(\mathcal E_g)$) and $\delta(\alpha,\beta) = \frac12\|\alpha - \beta\|_1$ with $\|A\|_1 = \mathrm{Tr}|A|$.

Finally, the following reasoning, previously used to prove the impossibility of quantum bit commitment [12], will be essential: Suppose $\rho_0$ and $\rho_1$ are density operators that correspond to a commitment of a "0" or a "1" respectively. Let $|\phi_0\rangle$ and $|\phi_1\rangle$ be the corresponding purifications on the joint system of Alice and Bob. If $\rho_0$ equals $\rho_1$ then Alice can find a local unitary transformation U that she can apply to her part of the system and satisfying $|\phi_1\rangle = U \otimes I|\phi_0\rangle$. This enables Alice to change the total state from $|\phi_0\rangle$ to $|\phi_1\rangle$ and thus cheat. This also holds in an approximate sense, used here in the following form:

Lemma 3 Let $\delta(\rho_0,\rho_1) \le \varepsilon$ and assume that the bit-commitment protocol is error-free if both parties are honest. Then there is a method for Alice to cheat such that the probability of successfully revealing a 0 given that she committed to a 1 is greater or equal to $1 - \sqrt{2\varepsilon}$.

Proof. $\delta(\rho_0,\rho_1) \le \varepsilon$ implies $F(\rho_0,\rho_1) \ge 1 - \varepsilon$. $F(\cdot,\cdot)$ is the fidelity of two quantum states, which equals $\max_U |\langle\phi_0|U \otimes I|\phi_1\rangle|$ by Uhlmann's theorem. Here, $|\phi_0\rangle$ and $|\phi_1\rangle$ are the joint states after the commit phase and the maximization ranges over all unitaries U on Alice's (i.e. the purification) side. Let $|\psi_0\rangle = U \otimes I|\phi_1\rangle$ for a U achieving the maximization. Then

$$\delta\big(|\phi_0\rangle\langle\phi_0|, |\psi_0\rangle\langle\psi_0|\big) = \sqrt{1 - |\langle\phi_0|\psi_0\rangle|^2} \le \sqrt{1 - (1-\varepsilon)^2} \le \sqrt{2\varepsilon}.$$

If both parties are honest, the reveal phase can be regarded as a measurement resulting in a distribution $P_Y$ ($P_Z$) if $|\phi_0\rangle$ ($|\psi_0\rangle$) was the state before the reveal phase. The random variables Y and Z carry the opened bit or the value 'reject (r)'. Since the trace distance does not increase under measurements, $\delta(P_Y, P_Z) \le \delta(|\phi_0\rangle\langle\phi_0|, |\psi_0\rangle\langle\psi_0|) \le \sqrt{2\varepsilon}$. Hence $\frac12\big(|P_Y(0) - P_Z(0)| + |P_Y(1) - P_Z(1)| + |P_Y(r) - P_Z(r)|\big) \le \sqrt{2\varepsilon}$. Since $|\phi_0\rangle$ corresponds to Alice's honest commitment to 0 we have $P_Y(0) = 1$, $P_Y(1) = P_Y(r) = 0$ and hence $P_Z(0) \ge 1 - \sqrt{2\varepsilon}$. $\square$



II. IMPOSSIBILITY

The proof of our impossibility result consists of three steps: in the previous section, we saw that any (n, a, b)-QBSC is also an (n, a, b)-QBSC$_\Xi$ with the security measure $\Xi(\mathcal E)$ defined in eq. (1). Below, we prove that an (n, a, b)-QBSC$_\Xi$ can only exist for values a, b and n obeying $a + b + c \ge n$, where c is a small constant independent of a, b and n. This in turn implies the impossibility of an (n, a, b)-QBSC for such parameters. At the end of this section we show that many executions of the protocol can only be secure if $a + b \ge n$.

The intuition behind our main argument is simple: To cheat, Alice first chooses a two-universal hash function g. She then commits to a superposition of all strings for which $g(x) = y$ for a specific y. We know from the privacy amplification theorem above, however, that even though Bob may gain some knowledge about x, he is entirely ignorant about y. But then Alice can change her mind and move to a different set of strings for which $g(x) = y'$ with $y \ne y'$, as we saw above! The following figure illustrates this idea.

FIG. 1: Moving from y to y'.



Theorem 2 (n,a,b)-QBSC$_\Xi$ schemes, and thus also (n,a,b)-QBSC schemes, with $a + b + c < n$ do not exist, where c is a constant equal to $5\log_2 5 - 4 \approx 7.61$.

Proof. Consider an (n, a, b)-QBSC$_\Xi$ and the case where both Alice and Bob are honest. Alice committed to x. We denote the joint state of the Alice-Bob-Channel system $\mathcal H_A \otimes \mathcal H_B \otimes \mathcal H_C$ after the commit phase by $|\psi_x\rangle$ for input state $|x\rangle$. Let $\rho_x$ be Bob's reduced density matrix and let $\mathcal E = \{p_x, \rho_x\}$ where $p_x = 2^{-n}$.

Assuming that Bob is honest, we will give a cheating strategy for Alice in the case where $a + b + 5\log_2 5 - 4 < n$. The strategy will depend on the two-universal hash function $g : \mathcal X = \{0,1\}^n \to \mathcal Y = \{0,1\}^{n-m}$, for appropriately chosen m. Alice picks a $y \in \mathcal Y$ and prepares the state $\big(\sum_{x \in g^{-1}(y)} |x\rangle|x\rangle\big)/\sqrt{|g^{-1}(y)|}$. She then gives the second half of this state as input to the protocol and stays honest for the rest of the commit phase. The joint state of Alice and Bob at the end of the commit phase is thus $|\psi^g_y\rangle = \big(\sum_{x \in g^{-1}(y)} |x\rangle|\psi_x\rangle\big)/\sqrt{|g^{-1}(y)|}$. The reduced states on Bob's side are $\sigma^g_y = \frac{1}{q^g_y}\sum_{x \in g^{-1}(y)} p_x\rho_x$ with probability $q^g_y = \sum_{x \in g^{-1}(y)} p_x$. We denote this ensemble by $\mathcal E_g$. Let $\sigma = \sigma^g = \sum_y q^g_y \sigma^g_y$ for any g.

We now apply Theorem 1 with $s = n - m$ and $\Xi(\mathcal E) \le b$ to obtain $\frac{1}{|\mathcal G|}\sum_{g \in \mathcal G} d(\mathcal E_g) \le \varepsilon$ where $\varepsilon = \frac12\, 2^{-\frac12(m - b)}$. Hence, there is at least one g such that $d(\mathcal E_g) \le \varepsilon$; intuitively, this means that Bob knows only very little about the value of g(x). This g defines Alice's cheating strategy. It is straightforward to verify that $d(\mathcal E_g) \le \varepsilon$ implies

$$2^{-(n-m)}\sum_y \delta(\sigma, \sigma^g_y) \le 2\varepsilon. \qquad (3)$$

Let us therefore assume without loss of generality that Alice chooses $y_0 \in \mathcal Y$ with $\delta(\sigma, \sigma^g_{y_0}) \le 2\varepsilon$.

Clearly, the probability to successfully reveal some x in $g^{-1}(y)$ given $|\psi^g_y\rangle$ is one. Note that Alice learns x, but can't pick it: she committed to a superposition and x is chosen randomly by measurement. Thus the probability to reveal y (i.e. to reveal an x such that $y = g(x)$) given $|\psi^g_y\rangle$ successfully is one. Let $p^A_x$ and $q^A_y$ denote the probabilities to successfully reveal x and y respectively and $\tilde p_{x|y}$ the conditional probability to successfully reveal x, given y. We have

$$\sum_x p^A_x = \sum_y \sum_{x \in g^{-1}(y)} q^A_y\, \tilde p_{x|y} = \sum_y q^A_y.$$

Recall that Alice can transform $|\psi^g_{y_0}\rangle$ approximately into $|\psi^g_y\rangle$ if $\sigma^g_{y_0}$ is sufficiently close to $\sigma^g_y$, by applying local transformations to her part alone. It follows from Lemma 3 that we can estimate the probability of revealing y, given that the state was really $|\psi^g_{y_0}\rangle$. Since this reasoning applies to all y, on average, we have

$$\begin{aligned}
\sum_y q^A_y &\ge \sum_y \Big(1 - \sqrt{2\,\delta(\sigma^g_{y_0}, \sigma^g_y)}\Big) \\
&\ge 2^{n-m} - 2 \cdot 2^{n-m}\Big(2^{m-n}\sum_y \tfrac12\,\delta(\sigma^g_{y_0}, \sigma^g_y)\Big)^{1/2} \\
&\ge 2^{n-m}\Big[1 - 2\Big(2^{m-n}\sum_y \tfrac12\big(\delta(\sigma^g_y, \sigma) + \delta(\sigma, \sigma^g_{y_0})\big)\Big)^{1/2}\Big] \\
&\ge 2^{n-m}\big(1 - 2(2\varepsilon)^{1/2}\big),
\end{aligned}$$

where the first inequality follows from Lemma 3, the second from Jensen's inequality and the concavity of the square root function, the third from the triangle inequality and the fourth from eq. (3) and $\delta(\sigma^g_{y_0}, \sigma) \le 2\varepsilon$. Recall that to be secure against Alice, we require $2^a \ge 2^{n-m}\big(1 - 2(2\varepsilon)^{1/2}\big)$. We insert $\varepsilon = \frac12\, 2^{-\frac12(m-b)}$, define $m = b + \gamma$ and take the logarithm on both sides to get

$$a + b + \delta \ge n, \qquad (4)$$

where $\delta = \gamma - \log_2\big(1 - 2^{-\gamma/4 + 1}\big)$. Keeping in mind that $1 - 2^{-\gamma/4 + 1} > 0$ (or equivalently $\gamma > 4$), we find that the minimum value of $\delta$ for which eq. (4) is satisfied is $\delta = 5\log_2 5 - 4$ and arises from $\gamma = 4(\log_2 5 - 1)$. Thus, no (n, a, b)-QBSC$_\Xi$ with $a + b + 5\log_2 5 - 4 < n$ exists. $\square$

Since the constant c does not depend on a, b and n, multiple parallel executions of the protocol in the form of multiple simultaneous commit phases followed by the corresponding opening phases, can only be secure if $a + b \ge n$:

Proposition 1 Let P be an (n,a,b)-QBSC$_\Xi$ or (n,a,b)-QBSC. The m-fold parallel execution of P will be insecure if $a + b < n - c/m$. In particular, no (n, a, b)-QBSC$_\Xi$ or (n, a, b)-QBSC with $a + b < n$ can be executed securely an arbitrary number of times in parallel. Furthermore, no (n, a, b)-QBSC$_\chi$ with $a + b < n$ and $\chi$ the Holevo information can be executed securely an arbitrary number of times in parallel.

Proof. In the following, we assume wlog that a and b are the smallest cheat parameters for P. Let Q denote the $(nm, a_m, b_m)$-QBSC$_\Xi$ or $(nm, a_m, b_m)$-QBSC protocol obtained by executing P m times in parallel. By Theorem 2, Q is insecure if $a_m + b_m < nm - c$. Since a and b were assumed to be the smallest cheat parameters for P, the product cheating attacks by Alice and Bob lead to the estimates $a_m \ge am$ and $b_m \ge bm$, respectively. Therefore, the m-fold execution of P is insecure if $am + bm \le a_m + b_m < nm - c$, or $a + b < n - c/m$.

In order to prove the result about Holevo information QBSC, we will use a slightly different characterisation of privacy amplification in the proof of Theorem 2. In this characterisation, the right hand side of eq. (2) is replaced by $\kappa + 2^{-\frac12[H^\kappa_{\min}(\rho_{AB}|\rho_B) - s]}$ for an arbitrary $\kappa > 0$ [34, Corollary 5.6.1]. Going through the proof with this change in mind, one sees that Q is not a $(nm, a_m, b_m)$-QBSC$_\Xi$ for $\Xi(\mathcal E) = nm - H^\kappa_{\min}(\rho_{AB}|\rho)$ if $a_m + b_m + \delta < mn$. Here, $\mathcal E$ is the ensemble corresponding to Q and $\rho_{AB}$ and $\rho$ the related states; $\delta = \delta(\kappa)$ is a positive constant independent of n. Since $\mathcal E = \mathcal E'^{\otimes m}$ and thus $\rho_{AB} = \rho'^{\otimes m}_{AB}$ and $\rho = \rho'^{\otimes m}$ we are able to invoke the estimate

$$H^\kappa_{\min}\big(\rho'^{\otimes m}_{AB}\,\big|\,\rho'^{\otimes m}\big) \ge m\big(H(\rho'_{AB}) - H(\rho') - 2\Delta\big),$$

where $\Delta = \Delta(\kappa, m) \to 0$ as $m \to \infty$ [34, chain rule in Theorem 3.1.12 and Theorem 3.3.4], in order to conclude that Q is not a $(nm, a_m, b_m)$-QBSC$_{m(\chi(\mathcal E') + 2\Delta)}$ if $a_m + b_m + \delta < mn$. This shows that if P is an $(n, \alpha, \beta)$-QBSC$_{\chi(\mathcal E') + 2\Delta}$ with $\alpha m + \beta m \le a_m + b_m < nm - \delta$, i.e. $\alpha + \beta < n - \delta/m$, then its m-fold execution cannot be secure. Taking m to infinity we see that if P is an (n, a, b)-QBSC$_\chi$ with $a + b < n$ then it cannot be executed securely an arbitrary number of times in parallel. $\square$

It follows directly from [37] that the results in this 
section also hold in the presence of superselection rules. 
III. POSSIBILITY

Surprisingly, if one is willing to measure Bob's ability to learn x using the accessible information, non-trivial protocols become possible. These protocols are based on a discovery known as "locking of classical information in quantum states" [18].

A. A Family of Protocols

The protocol, which we call LOCKCOM(n, $\mathcal U$), uses this effect and is specified by a set $\mathcal U = \{U_1, \ldots, U_{|\mathcal U|}\}$ of unitaries.

• Commit phase: Alice has the string $x \in \{0,1\}^n$ and randomly chooses $r \in \{1, \ldots, |\mathcal U|\}$. She sends the state $U_r|x\rangle$ to Bob, where $U_r \in \mathcal U$.

• Reveal phase: Alice announces r and x. Bob applies $U_r^\dagger$ and measures in the computational basis to obtain x'. He accepts if and only if $x' = x$.

We first show that our protocol is secure with respect to Definition 1 if Alice is dishonest. Note that our proof only depends on the number of unitaries used, and is independent of a concrete instantiation of the protocol.

Lemma 4 Any LOCKCOM(n, $\mathcal U$) protocol is $\log(|\mathcal U|)$-binding, i.e. $2^a \le |\mathcal U|$.

Proof. Let $p^A_x$ denote the probability that Alice reveals x successfully. Then, $p^A_x \le \sum_r p^A_{x,r}$, where $p^A_{x,r}$ is the probability that x is accepted by Bob when the reveal information was r. Let $\rho$ denote the state of Bob's system. Summation over x now yields

$$\sum_x p^A_x \le \sum_{x,r} p^A_{x,r} = \sum_{x,r} \mathrm{Tr}\,|x\rangle\langle x|\,U_r^\dagger \rho U_r = \sum_r \mathrm{Tr}\,\rho = |\mathcal U|,$$

hence $a \le \log_2|\mathcal U|$. $\square$

In order to examine security against a dishonest Bob, we have to consider the actual form of the unitaries. We first show that there do indeed exist interesting protocols. Secondly, we present a simple, implementable protocol. To see that interesting protocols can exist, let Alice choose a set of $O(n^4)$ unitaries independently according to the Haar measure (approximated) and announce the resulting set $\mathcal U$ to Bob. They then perform LOCKCOM(n, $\mathcal U$). Following the work of [38], we now show that this variant is secure against Bob with high probability in the sense that there exist $O(n^4)$ unitaries that bring Bob's accessible information down to a constant: $I_{acc}(\mathcal E) \le 4$:



Theorem 3 For $n > 3$, there exist $(n, 4\log_2 n + O(1), 4)$-QBSC$_{I_{acc}}$ protocols.

Proof. Let $\mathcal U_{ran}$ denote the set of m randomly chosen bases and consider the LOCKCOM(n, $\mathcal U$) scheme using unitaries $\mathcal U = \mathcal U_{ran}$. Security against Alice is again given by Lemma 4. We now need to show that this choice of unitaries achieves the desired locking effect and thus security against Bob. Again, let $d = 2^n$ denote the dimension. It was observed in [18] that

$$I_{acc} \le \log_2 d + \max_{|\phi\rangle} \frac{1}{m}\sum_j \big(-H(X_j)\big),$$

where $X_j$ denotes the outcome of the measurement of $|\phi\rangle$ in basis j and the maximum is taken over all pure states $|\phi\rangle$. According to [38, Appendix B] there is a constant $C > 0$ such that

for $d \ge 7$ and $\varepsilon < 2/5$. Set $\varepsilon = 1/\log_2 d$. The RHS of the above equation then decreases provided that $m \ge (C/\varepsilon)(\log_2 d)^4$. Thus with $d = 2^n$ and $\log_2 m = 4\log_2 n + O(1)$, the accessible information is then $I_{acc} \le \log_2 d - (1 - \varepsilon)\log_2 d + 3 = \varepsilon\log_2 d + 3 = 4$ for our choice of $\varepsilon$. $\square$

Unfortunately, the protocol is inefficient both in terms of computation and communication. It remains open to find an efficient constructive scheme with those parameters.

In contrast, for only two bases, an efficient construction exists and uses the identity and the Hadamard transform as unitaries. For this case, the security of the standard LOCKCOM protocol follows immediately:

Theorem 4 LOCKCOM(n, $\{I^{\otimes n}, H^{\otimes n}\}$) is an $(n, 1, n/2)$-QBSC$_{I_{acc}}$ protocol.

Proof. It is sufficient to apply Lemma 4 and the fact that for Bob $I_{acc} \le n/2$ [18, 38]. $\square$



IV. A CHEAT-SENSITIVE PROTOCOL

A. Scenario and Result

We now extend the protocol above to be cheat-sensitive against Bob. That is, even though Bob may be able to gain a lot of information on the committed string, Alice has a decent probability of catching Bob if he actually tries to extract such information [47].

We first extend our definition to accommodate cheat-sensitivity against Bob.

Definition 2 An (n, a, b)-QBSC$_B$ is cheat-sensitive against Bob if there is a non-zero probability that he will be detected by Alice when he cheats.

We elaborate below on the scenario in which we analyse Bob's cheating and thus make precise what we mean by saying Bob cheats.

The following protocol is a modification of LOCKCOM(n, $\mathcal U$) which incorporates cheat-sensitivity against Bob.




Protocol 1: CS-Bob-LOCKCOM(n, $\mathcal U$)

1: Commit phase: Alice randomly chooses the string $x \in \{0,1\}^n$ and a unitary $U_r$ from a set of unitaries $\mathcal U$ known to both Alice and Bob. She sends the state $U_r|x\rangle$.

2: Reveal phase: Alice sends r to Bob, he applies $U_r^\dagger$ to the state that he received from Alice and measures in the computational basis. His outcome is denoted by y.

3: Confirmation phase: Bob sends y to Alice. If Alice is honest, and if $x = y$ she declares 'accept', otherwise 'abort'.

We proved in Theorem 4 that CS-Bob-LOCKCOM(n, $\{I^{\otimes n}, H^{\otimes n}\}$) is an $(n, 1, n/2)$-$I_{acc}$-quantum string commitment protocol. In fact this result can be extended to dimensions different from $d = 2^n$ where one can show that CS-Bob-LOCKCOM($\log_2 d$, $\{I, U\}$), where U is the Fourier transform, is a $(\log_2 d, 1,\ )$-$I_{acc}$-quantum string commitment protocol.
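A small simulation of LOCKCOM(n, $\{I^{\otimes n}, H^{\otimes n}\}$) together with the confirmation phase of Protocol 1, added here as an example (it is not code from the paper): it runs the honest protocol, evaluates the Lemma 4 quantity $\sum_{x,r}\mathrm{Tr}\,|x\rangle\langle x|U_r^\dagger\rho U_r = |\mathcal U|$ on a state Bob holds, and computes the exact detection probability for one concrete dishonest Bob who measures the commitment in the computational basis before the reveal phase (a special case of $V_{\mathrm{cheat}}$, chosen for illustration). Function names and the 0/1 indexing of $U_0 = I^{\otimes n}$, $U_1 = H^{\otimes n}$ are this example's own conventions.

```python
"""Pure-Python simulation of LOCKCOM(n, {I^(x)n, H^(x)n}) with Bob's confirmation.

Added example, not code from the paper. States are 2^n-dimensional real vectors
(all amplitudes of I|x> and H^(x)n|x> are real), so no numpy is needed.
"""
import math


def hadamard_n(state):
    """Apply H^(x)n via the normalised fast Walsh-Hadamard transform."""
    d = len(state)
    out = list(state)
    h = 1
    while h < d:
        for i in range(0, d, 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = a + b, a - b
        h *= 2
    scale = 1.0 / math.sqrt(d)
    return [v * scale for v in out]


def basis_state(x, n):
    """Computational basis vector |x> on n qubits."""
    vec = [0.0] * (1 << n)
    vec[x] = 1.0
    return vec


def apply_u(r, state):
    """U_0 = I^(x)n, U_1 = H^(x)n (this example's indexing); both are self-inverse,
    so applying U_r is the same as applying U_r^dagger."""
    return list(state) if r == 0 else hadamard_n(state)


def commit(x, r, n):
    """Commit phase: the state U_r|x> that Alice sends to Bob."""
    return apply_u(r, basis_state(x, n))


def open_commitment(state, r):
    """Reveal phase on Bob's side: apply U_r^dagger, measure in the computational
    basis; returns the outcome distribution {y: probability}."""
    vec = apply_u(r, state)
    return {y: amp * amp for y, amp in enumerate(vec) if amp * amp > 1e-12}


def honest_run(n, x, r):
    """Protocol 1 with both parties honest: Bob's outcome y is sent back to Alice,
    who declares 'accept' iff y == x."""
    dist = open_commitment(commit(x, r, n), r)
    y, prob = max(dist.items(), key=lambda kv: kv[1])
    assert abs(prob - 1.0) < 1e-9  # an honest opening is deterministic
    return "accept" if y == x else "abort"


def binding_sum(bob_state):
    """The quantity bounded in Lemma 4, sum_{x,r} Tr(|x><x| U_r^dagger rho U_r),
    for a pure state rho = |psi><psi| held by Bob. It equals |U| = 2 for every
    normalised psi, which is why Alice can reveal at most 2^a <= 2 strings."""
    return sum(p for r in (0, 1) for p in open_commitment(bob_state, r).values())


def detection_probability_early_measurement(n):
    """Dishonest Bob measures the commitment in the computational basis before the
    reveal phase (learning x outright whenever r = 0). Returns the exact
    probability, averaged over uniform x and r, that the y he later sends in the
    confirmation phase differs from x, i.e. that honest Alice detects him."""
    d = 1 << n
    accept = 0.0
    for x in range(d):
        for r in (0, 1):
            psi = commit(x, r, n)
            for z, amp in enumerate(psi):  # z: outcome of the premature measurement
                p_z = amp * amp
                if p_z < 1e-12:
                    continue
                # Bob now holds |z>; in the reveal phase he applies U_r^dagger as usual
                p_y_equals_x = open_commitment(basis_state(z, n), r).get(x, 0.0)
                accept += p_z * p_y_equals_x
    return 1.0 - accept / (2 * d)


if __name__ == "__main__":
    n = 3
    for x in range(1 << n):
        for r in (0, 1):
            assert honest_run(n, x, r) == "accept"
    print("binding sum on a commitment state:", round(binding_sum(commit(5, 1, n)), 6))
    print("detection probability (early measurement, n=3):",
          round(detection_probability_early_measurement(n),  6))
```

For this attack the detection probability is $(d-1)/(2d)$ with $d = 2^n$: Bob is caught only in the runs with $r = 1$, where his premature measurement destroyed the Hadamard-basis state and his confirmation value is uniformly random.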

We now restrict our attention to this protocol and prove that a dishonest Bob is detected whenever he has obtained a non-zero amount of information about x before the reveal stage [48]. More precisely, we give a tradeoff for cheat detection versus Holevo-information gain against a dishonest Bob, with the property that every nonzero Holevo-information gain leads to a nonzero detection probability of Bob.

Theorem 5 If Bob is detected cheating with probability less than $\varepsilon$, then his Holevo information gain obeys

$$\chi(\mathcal E^C) \le 4\sqrt{\varepsilon}\log_2 d + 2\mu(2\sqrt{\varepsilon}).$$

As a corollary we find that CS-Bob-LOCKCOM($\log_2 d$, $\{I, U\}$) is cheat sensitive against Bob.

Corollary 1 Bob will be detected cheating with a nonzero probability, if he gathers a nonzero amount of Holevo information.



B. Proof 

We start this section with a description of the sequence 
of events for the case where Alice is honest and Bob ap- 
plies a general cheating strategy (see also Figure [2| . 



phase 



of 



LOCKCOM(log 2 d, {I, U}) is 



the protocol 
equivalent to 



the following procedure: Alice prepares the state 



1 

2d 



^2\x) x \r) R \r) R 'u r \x) Y 

x.r 



on the system XRYR' and sends system Y (over 
a noiseless quantum channel) to Bob. It is under- 
stood that U° = I and U 1 = U. Note that R' 
contains an identical copy of R and corresponds to 
the reveal information. 

Bob's most general cheating operation can be de- 
scribed by a unitary matrix V c heat that splits the 
system Y into C and Q. C contains by definition 
the information gathered during cheating and is not 
touched upon later on [48] . 



V, 



chea I 



Y^CQ 



The map V c heat followed by the partial trace over 
Q is denoted by A c and likewise V c heat followed by 
the partial trace over C is denoted by A**. 

Alice sends the reveal information R' to Bob. 

Bob applies a preparation unitary V prepare to his 
system. Since C will not be touched upon, the 
most general operation acts on R'Q only: 



V, 



prepare 



R'Q -> R'ST. 



Bob then sends S to Alice and keeps T. 

• Alice measures $S$ in the computational basis and compares the outcome to her value in $X$. If the values do not agree, we say that Alice has detected Bob cheating. The probability for this happening is given by

$$\frac{1}{d}\sum_{x=1}^{d}\bigl(1 - \mathrm{Tr}\,|x\rangle\langle x|\,\rho^S_x\bigr),$$

where $\rho^S_x = \mathrm{Tr}_{XRR'T}\,|x\rangle\langle x|\,|\psi\rangle\langle\psi|^{XRR'ST}$, and $|\psi\rangle^{XRR'ST}$ is the pure state of the total system after Bob's application of $V_{\mathrm{prepare}}$.

Note that Alice measures in the computational basis since for honest Bob

$$V_{\mathrm{prepare}} = \sum_{r' \in \{0,1\}} |r'\rangle\langle r'| \otimes (U^{r'})^\dagger,$$

in which case his outcome agrees with the committed value of an honest Alice.

Before we start with the proof of Theorem 5 we define ensembles depending on the classical information contained in $XR$, i.e. for $Z \in \{C, Q\}$, define $\mathcal{E}^Z_r = \{p_x, \rho^Z_{xr}\}$ with

$$\rho^Z_{xr} = \frac{1}{p_x p_r}\,\mathrm{Tr}_{XRR'CQ \setminus Z}\,|xr\rangle\langle xr|\,|\psi\rangle\langle\psi|^{XRR'CQ}$$
FIG. 2: Execution of CS-Bob-LOCKCOM with honest Alice on the left and cheating Bob on the right. Time flows downwards.



and for $Z \in \{S, T\}$ let $\mathcal{E}^Z_r = \{p_x, \rho^Z_{xr}\}$ with

$$\rho^Z_{xr} = \frac{1}{p_x p_r}\,\mathrm{Tr}_{XRR'CST \setminus Z}\,|xr\rangle\langle xr|\,|\psi\rangle\langle\psi|^{XRR'CST}.$$

Sometimes we are only interested in the ensemble averaged over the values of $r$: for $Z \in \{C, Q, S, T\}$

$$\mathcal{E}^Z = \{p_x, \rho^Z_x\} \quad\text{where}\quad \rho^Z_x = \tfrac{1}{2}\bigl(\rho^Z_{x0} + \rho^Z_{x1}\bigr). \qquad (5)$$

Let us now come to two technical lemmas, most notably a channel uncertainty relation (Lemma 5) that was discovered in connection with squashed entanglement:

Consider a uniform ensemble $\mathcal{E}_0 = \{\tfrac{1}{d}, |i\rangle\}_{i=1}^d$ of basis states of a Hilbert space $\mathcal{H}$ and the ensemble $\mathcal{E}_1 = \{\tfrac{1}{d}, U|i\rangle\}_{i=1}^d$ rotated with a unitary $U$. Application of the completely positive trace preserving (CPTP) map $\Lambda$ (with output in a potentially different Hilbert space) results in the two ensembles $\Lambda(\mathcal{E}_0) = \{\tfrac{1}{d}, \Lambda(|i\rangle\langle i|)\}_{i=1}^d$ and $\Lambda(\mathcal{E}_1)$, with Holevo information for $\mathcal{E}_0$ given by

$$\chi(\Lambda(\mathcal{E}_0)) = H\Bigl(\tfrac{1}{d}\sum_i \Lambda(|i\rangle\langle i|)\Bigr) - \tfrac{1}{d}\sum_i H\bigl(\Lambda(|i\rangle\langle i|)\bigr)$$

and similarly for $\mathcal{E}_1$. Consider also the quantum mutual information of $\Lambda$ relative to the maximally mixed state $\tau = \tfrac{1}{d}\mathbb{1}$, which is the average state of either $\mathcal{E}_0$ or $\mathcal{E}_1$:

$$I(\tau;\Lambda) = H(\tau) + H(\Lambda(\tau)) - H\bigl((I\otimes\Lambda)(|\psi_d\rangle\langle\psi_d|)\bigr),$$

where $|\psi_d\rangle$ is a maximally entangled state in dimension $d$ purifying $\tau$.



Lemma 5 (Channel Uncertainty Relation [39]) Let $U$ be the Fourier transform of dimension $d$, i.e. of the Abelian group of integers modulo $d$. More generally, $U$ can be a Fourier transform of any finite Abelian group labeling the ensemble $\mathcal{E}_0$, e.g. for $d = 2^\ell$ and the corresponding group, $U = H^{\otimes \ell}$ with the Hadamard transform $H$ of a qubit. Then for all CPTP maps $\Lambda$,

$$\chi(\Lambda(\mathcal{E}_0)) + \chi(\Lambda(\mathcal{E}_1)) \le I(\tau;\Lambda). \qquad (6)$$



The following lemma is a technical consequence of Fannes' inequality.

Lemma 6 Let $\mathcal{E} = \{p_i, \rho_i = |\psi_i\rangle\langle\psi_i|\}$ be an ensemble of pure states and $\tilde{\mathcal{E}} = \{p_i, \sigma_i\}$ be an ensemble of mixed states, both on $\mathbb{C}^d$. If $\sum_i p_i \langle\psi_i|\sigma_i|\psi_i\rangle \ge 1 - \varepsilon$, then

$$|\chi(\mathcal{E}) - \chi(\tilde{\mathcal{E}})| \le 4\sqrt{\varepsilon}\,\log_2 d + 2\mu(2\sqrt{\varepsilon}),$$

where $\mu(x) = \min\{-x\log_2 x, \tfrac{1}{e}\}$.
Proof. The justification of the estimate 

i i i 

where $\delta_i = \delta(\rho_i, \sigma_i)$ is as follows: the second inequality is a standard relation between the fidelity and the trace distance and the third follows from the convexity of the square function. Strong convexity of the trace distance implies $\delta(\rho, \sigma) \le \sqrt{\varepsilon}$. Fannes' inequality will be applied to the overall state,

$$|H(\rho) - H(\sigma)| \le 2\sqrt{\varepsilon}\,\log_2 d + \min\{\eta(2\sqrt{\varepsilon}), \tfrac{1}{e}\},$$

where $\eta(x) = -x\log_2 x$, and to the individual ones,

$$\sum_i p_i\,|H(\sigma_i) - H(\rho_i)| \le \Bigl(\sum_i p_i \delta_i\Bigr) 2\log_2 d + \sum_i p_i \min\{\eta(2\delta_i), \tfrac{1}{e}\} \le \sqrt{\varepsilon}\,2\log_2 d + \min\{\eta(2\sqrt{\varepsilon}), \tfrac{1}{e}\},$$

where the last inequality is true by the concavity of $\eta(x)$. Inserting these estimates in the Holevo $\chi$ quantities $\chi(\mathcal{E}) = H(\rho)$ and $\chi(\tilde{\mathcal{E}}) = H(\sigma) - \sum_i p_i H(\sigma_i)$ concludes the proof. □



Proof. [Proof of Theorem 5] Let $\mathcal{E}_0$ and $\mathcal{E}_1$ be defined as in Lemma 5. In the commit phase of the protocol, Alice chooses one of the ensembles (each with probability $\tfrac{1}{2}$), and one of the states in the ensemble (each with probability $\tfrac{1}{d}$). The justifications for the following estimate are given in a list below.

$$\begin{aligned}
&\chi(\mathcal{E}^C_0) + \chi(\mathcal{E}^C_1) & (7)\\
&= \chi(\Lambda^C(\mathcal{E}_0)) + \chi(\Lambda^C(\mathcal{E}_1)) & (8)\\
&\le I(XRR';C) & (9)\\
&= 2H(XRR') - I(XRR';Q) & (10)\\
&\le 2H(XRR') - \chi(\Lambda^Q(\mathcal{E}_0)) - \chi(\Lambda^Q(\mathcal{E}_1)) & (11)\\
&= 2H(XR) - \chi(\mathcal{E}^Q_0) - \chi(\mathcal{E}^Q_1) & (12)\\
&\le 2H(XR) - \chi(\Lambda^S_0(\mathcal{E}^Q_0)) - \chi(\Lambda^S_1(\mathcal{E}^Q_1)) & (13)\\
&= 2H(XR) - \chi(\mathcal{E}^S_0) - \chi(\mathcal{E}^S_1) & (14)\\
&\le 2H(XR) - 2\chi(\mathcal{E}^S). & (15)
\end{aligned}$$


The justifications:

• Equality (8): By definition of the string commitment scheme and the map $\Lambda^C$: $\mathcal{E}^C_r = \{p_x, \rho^C_{xr}\} = \{p_x, \Lambda^C(U^r|x\rangle\langle x|(U^r)^\dagger)\} =: \Lambda^C(\mathcal{E}_r)$.

• Inequality (9): Application of Lemma 5 for the map $\Lambda^C$. Note that system $XRR'$ is a reference system for the completely mixed state on system $Y$ on which the channel $\Lambda^C$ is applied. Hence $I(\tau;\Lambda^C) = I(XRR';C)$.

• Equality (10): Simple rewriting of the entropy terms making use of the definition of quantum mutual information and the purity of $XRR'CQ$.

• Inequality (11): Application of Lemma 5 for the map $\Lambda^Q$. Note that system $XRR'$ is a reference system for the completely mixed state on system $Y$ on which the channel $\Lambda^Q$ is applied. Hence $I(\tau;\Lambda^Q) = I(XRR';Q)$.

• Equality (12): $R'$ is a copy of $R$: $H(XRR') = H(XR)$. By definition of the string commitment scheme and the map $\Lambda^Q$: $\mathcal{E}^Q_r = \{p_x, \rho^Q_{xr}\} = \{p_x, \Lambda^Q(U^r|x\rangle\langle x|(U^r)^\dagger)\}$.

• Inequality (13) and equality (14): follow from the data processing inequality $\chi(\Lambda^S_r(\mathcal{E}^Q_r)) \le \chi(\mathcal{E}^Q_r)$ and from the definition $\Lambda^S_r(\mathcal{E}^Q_r) = \mathcal{E}^S_r$.

• Inequality (15): Finally $\mathcal{E}^S = \{p_x, \tfrac{1}{2}(\rho^S_{x0} + \rho^S_{x1})\}$, which by the concavity of von Neumann entropy implies $\chi(\mathcal{E}^S) \le \tfrac{1}{2}\bigl(\chi(\mathcal{E}^S_0) + \chi(\mathcal{E}^S_1)\bigr)$.

If Bob is detected cheating with probability less than $\varepsilon$, then by Lemma 6 the Holevo quantity $\chi(\mathcal{E}^S)$ of the ensemble given in $S$ that Bob sends to Alice obeys

$$\chi(\mathcal{E}^S) \ge (1 - 4\sqrt{\varepsilon})\log_2 d - 2\mu(2\sqrt{\varepsilon}). \qquad (16)$$

Inserting inequality (16) into inequality (15) and noting that $H(XR) = H(Y) = \log_2 d$ proves the claim. □

This proves cheat-sensitivity against Bob for the simplest protocol of the LOCKCOM family.
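As an added illustration (not code from the paper), the following Python model runs the sequence of events described above for $d = 2^\ell$ with $U = H^{\otimes\ell}$ and computes, for a constructed measure-and-resend strategy of Bob, both the detection probability and $\chi(\mathcal{E}^C)$, then compares them with the bound of Theorem 5. The cheating strategy, the function names and the parameter $\ell$ are assumptions of the example; an honest Bob is included for contrast.

```python
# Added example, not code from the paper: a state-vector model of
# CS-Bob-LOCKCOM(log2 d, {I, U}) for d = 2**l and U = H^{(x)l}.
import math
from collections import defaultdict

def hadamard_all(amps):  # H^{(x)l} on a length-2**l amplitude vector (Walsh-Hadamard)
    amps, h = list(amps), 1
    while h < len(amps):
        for i in range(0, len(amps), 2 * h):
            for j in range(i, i + h):
                a, b = amps[j], amps[j + h]
                amps[j], amps[j + h] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
        h *= 2
    return amps

def basis(d, x):  # computational basis state |x> of dimension d
    return [1.0 if i == x else 0.0 for i in range(d)]

def commit(d, x, r):  # Alice's register Y = U^r |x>
    return hadamard_all(basis(d, x)) if r else basis(d, x)

def honest_bob(y):  # forwards Y as Q untouched; C holds nothing
    return [(1.0, None, y)]

def measure_resend_bob(y):
    # Constructed cheating strategy: measure Y in the computational basis,
    # keep the outcome c in C and resend |c> as Q.  Yields (prob, c, Q-state).
    return [(abs(a) ** 2, c, basis(len(y), c)) for c, a in enumerate(y) if abs(a) > 0]

def open_and_measure(q, r):  # reveal: apply (U^r)^dagger (H is self-inverse), measure Q
    return [abs(a) ** 2 for a in (hadamard_all(q) if r else q)]

def analyse(l, strategy):
    """(detection probability, chi(E^C) in bits) for uniform x, r; C is classical here."""
    d, detect, p_xc = 2 ** l, 0.0, defaultdict(float)
    for x in range(d):
        for r in (0, 1):
            for p, c, q in strategy(commit(d, x, r)):
                detect += (1 - open_and_measure(q, r)[x]) * p / (2 * d)  # Alice sees s != x
                p_xc[(x, c)] += p / (2 * d)
    p_c = defaultdict(float)
    for (_, c), p in p_xc.items():
        p_c[c] += p
    chi = sum(p * math.log2(p * d / p_c[c]) for (_, c), p in p_xc.items() if p > 0)
    return detect, chi

def theorem5_bound(eps, d):  # RHS of Theorem 5 with mu(x) = min{-x log2 x, 1/e}
    t = 2 * math.sqrt(eps)
    mu = min(-t * math.log2(t), 1 / math.e) if t > 0 else 0.0
    return 4 * math.sqrt(eps) * math.log2(d) + 2 * mu
```

For $\ell = 2$ the measure-and-resend Bob is caught with probability 3/8 while learning about 0.45 bits of the 2-bit string, which lies well inside the (loose) Theorem 5 bound.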



V. CONCLUSION 

We have introduced a framework for quantum com- 
mitments to a string of bits. Even though string com- 
mitments are weaker than bit commitments, we showed 
that under strong security requirements, there are no 
such non-trivial protocols. A property of quantum states 
known as locking, however, allowed us to propose mean- 
ingful protocols for a weaker security demand. Since 
the completion of our original work [40], Tsurumaru [41] 
has also proposed a different QBSC protocol within our 
framework. 

Furthermore, we have shown that one such protocol 
can be made cheat-sensitive. It is an interesting open 
question to derive a tradeoff between Bob's ability to gain 
information and Alice's ability to detect him cheating for 
the protocol of Theorem 3 as well. 

A drawback of weakening the security requirement is 
that LOCKCOM protocols are not necessarily compos- 
able. Thus, if LOCKCOM is used as a sub-protocol in 
a larger protocol, the security of the resulting scheme 
has to be evaluated on a case-by-case basis. However, 
LOCKCOM protocols are secure when executed in par- 
allel. This is a consequence of the definition of Alice's 
security parameter and the additivity of the accessible in- 
formation [42, 43], and sufficient for many cryptographic 
purposes. 

However, two important open questions remain: First, 
how can we construct efficient protocols using more than 
two bases? It may be tempting to conclude that we could 
simply use a larger number of mutually unbiased bases, 
such as given by the identity and Hadamard transform. 
Yet, it has been shown [44] that using more mutually 
unbiased bases does not necessarily lead to a better lock- 
ing effect and thus better string commitment protocols. 
Second, are there any real-life applications for this weak 
quantum string commitment? 